cyradm auth mechanism

carole gimenez gimenez at cict.fr
Tue Jul 5 03:30:43 EDT 2005


Hi,

I use cyrus-imapd with ldap authentication but I don't use pts for that 
and it works well.

My config is the following:

* /etc/saslauthd.conf
ldap_servers: ldaps://pc-systeme.cict.fr:636/
ldap_auth_method: custom
ldap_bind_dn: uid=cyrus,ou=appli,dc=ups-tlse,dc=fr
ldap_password: xxxxxx
ldap_search_base: dc=ups-tlse,dc=fr
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /usr/share/ssl/mon_AC/private/mon_AC.crt

* /etc/cyrus.conf
SERVICES {
  # add or remove based on preferences
  #imap         cmd="imapd" listen="imap" prefork=0
  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
  imaps         cmd="imapd -s -U 30" listen="x.x.x.x:imaps" prefork=0 maxchild=100
#  pop3         cmd="pop3d" listen="pop3" prefork=0
#  pop3s                cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0

  # these are only necessary if receiving/exporting usenet via NNTP
  #  nntp               cmd="nntpd" listen="nntp" prefork=0
  #  nntps              cmd="nntpd -s" listen="nntps" prefork=0

  # at least one LMTP is required for delivery
  #  lmtp               cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0 maxchild=20

  # this is only necessary if using notifications
  notify        cmd="notifyd" listen="/var/imap/socket/notify" proto="udp" prefork=1
}

* /etc/imapd-local.conf
configdirectory: /var/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
maxmessagesize: 5000000
sasl_pwcheck_method: saslauthd
sasl_option: 1
sasl_mech_list: plain
servername: pc-systeme.cict.fr
autocreatequota: 10000
lmtp_downcase_rcpt: 1
mailnotifier: log
sievenotifier: log

# ps -ef | grep cyrus
cyrus    17522     1  0 09:16 pts/0    00:00:00 /usr/local/cyrus_imapd/cyrus/bin/master
cyrus    17531 17522  0 09:16 pts/0    00:00:00 notifyd

# ps -ef | grep ldap
serveur  17187     1  0 04:03 ?        00:00:00 /usr/local/openldap/libexec/slapd -h ldaps:/// ldap://127.0.0.1/ ldap://pc-systeme.cict.fr:389/ -f /usr/local/openldap/etc/openldap/slapd.conf -u serveur -g serveur
root     17521     1  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
root     17523 17521  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
root     17524 17521  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
root     17525 17521  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30
root     17526 17521  0 09:16 ?        00:00:00 /usr/sbin/saslauthd -a ldap -c -t 30


I hope that will help you.

Carole.


Thomas Vogt wrote:

> Hi Igor
>
>>> I've a problem with my new clean, cyrus installation. I  can't  
>>> login with my cyradm admin account. The account information is  
>>> stored in my ldap database. The sasldb2 is empty. I don't use it.  
>>> Can you give me some advice?
>>>
>>> For cyradm I use this command:
>>> cyradm --user nmeth2vdiysttboz --server localhost --auth plain
>>> Password:
>>> IMAP Password: <i use the ldap password here>
>>>
>>> Error message:
>>> Invalid user at /usr/local/lib/perl5/site_perl/5.8.7/mach/Cyrus/IMAP/Admin.pm line 118
>>> cyradm: cannot authenticate to server with plain as nmeth2vdiysttboz
>>>
>>> Logfile:
>>> Jul  4 21:00:36 mail03 imap[58290]: badlogin: localhost  [127.0.0.1] 
>>> PLAIN [SASL(-16): encryption needed to use mechanism:  security 
>>> flags do not match
>>>
>>               ^^^^^^^^^^
>> This error is self explanatory.
>
>
> I added these options below to my imapd.conf. But I still get the same  
> error message. I don't want to use any encryption. The password is  
> stored as md5 hash in the ldap database. As far as I know this limits  
> my ability for secure authentication anyway.
>
> allowplaintext: yes
> sasl_mech_list: PLAIN
> sasl_minimum_layer: 0
>
> I've compiled sasl with
>
> ./configure --sysconfdir=/usr/local/etc --with-plugindir=/usr/local/lib/sasl2 --with-dbpath=/usr/local/etc/sasldb2 --includedir=/usr/local/include --mandir=/usr/local/man --enable-static --enable-auth-sasldb --with-rc4=openssl --with-ldap --with-saslauthd=/var/state/saslauthd --with-dblib=ndbm --without-mysql --without-pgsql --without-sqlite --enable-login --disable-ntlm --disable-gssapi --disable-krb4 --with-openssl=yes --prefix=/usr/local
>
>
>>
>>
>>> Jul  4 21:00:39 mail03 perl: No worthy mechs found
>>> Jul  4 21:00:40 mail03 imap[58290]: ptload(): bad response from ptloader server: identifier not found
>>>
>>
>> pts/ldap configuration problem.  Double check ldap_* params in  
>> imapd.conf.
>>
>> Is there a reason you are using pts authorization module?
>
>
> I thought this is the best way for my environment. All user  
> information is stored in my ldap server. uid, maildrop, password ....
> I don't like pam_ldap. My older servers are using auth_unix but I've  
> modified this for ldap. Since my patch no longer works, I decided to  
> use a direct ldap auth version. But I can try other auth mech, if  
> this is possible with ldap.
>
>>> Jul  4 21:00:40 mail03 imap[58290]: bad userid authenticated
>>> Jul  4 21:00:40 mail03 imap[58290]: badlogin: localhost  [127.0.0.1] plaintext nmeth2vdiysttboz invalid user
>>>
>>> testsaslauthd -u nmeth2vdiysttboz -p 1234
>>> 0: OK "Success."
>>>
>>> imtest -m LOGIN -a nmeth2vdiysttboz localhost
>>> S: * OK mail03.test.ch Cyrus IMAP4 v2.2.12 server ready
>>> C: C01 CAPABILITY
>>> S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
>>> S: C01 OK Completed
>>> Please enter your password: <type in here>
>>> C: L01 LOGIN nmeth2vdiysttboz {16}
>>> S: L01 NO Invalid user
>>> Authentication failed. generic failure
>>> Security strength factor: 0
>>>
>>> ldap entry for admin:
>>>
>>> # nmeth2vdiysttboz, people, test, test.ch
>>> dn: uid=nmeth2vdiysttboz,ou=people,ou=test,dc=test,dc=ch
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetOrgPerson
>>> uid: nmeth2vdiysttboz
>>> cn: Cyrus Admin
>>> userPassword:: 1234
>>>
>>>
>>> saslauthd.conf
>>> ldap_servers: ldap://127.0.0.1/
>>> ldap_search_base: ou=people,ou=test,dc=test,dc=ch
>>>
>>>
>>> imapd.conf:
>>> configdirectory: /m/imap
>>> partition-default: /m/spool/imap
>>> allowplaintext: yes
>>> admins: nmeth2vdiysttboz
>>> quotawarn: 90
>>> timeout: 30
>>> imapidlepoll: 60
>>> poptimeout: 10
>>> logtimestamps: yes
>>> singleinstancestore: yes
>>> sieveusehomedir: false
>>> sievedir: /m/imap/sieve
>>> hashimapspool: true
>>>
>>> sasl_pwcheck_method: saslauthd
>>> sasl_mech_list: plain login
>>>
>>> ptloader_sock: /var/imap/socket/ptsock
>>> lmtpsocket: /var/imap/socket/lmtp
>>> idlesocket: /var/imap/socket/idle
>>> notifysocket: /var/imap/socket/notify
>>>
>>> ldap_base: dc=test,dc=ch
>>> ldap_deref: search
>>> ldap_sasl: 0
>>> ldap_group_scope: sub
>>> ldap_bind_dn: dc=test,dc=ch
>>> ldap_restart: 1
>>> ldap_scope: sub
>>> ldap_start_tls: 0
>>> ldap_time_limit: 10
>>> ldap_timeout: 15
>>> ptscache_timeout: 1
>>> ldap_tls_check_peer: no
>>> ldap_tls_ciphers: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>>> ldap_uri: ldap://127.0.0.1/
>>>
>>
>> Do you need ldap_password here?
>
>
> No. There is no password protection.
>
>>   Can you debug slapd?
>
>
> I will do that. But first I will fix my "sasl mech problem"
>
>>> Saslauth runs with -a ldap
>>> slapd runs with -h "ldapi:///var/run/openldap/ldapi/ ldap:// 
>>> 127.0.0.1 "
>>>
>>                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> This will not work, although saslauthd is working fine with your  
>> current configuration.  (Use ldapi://%2fvar%2frun%2fopenldap%2fldapi/
>
>
> Thank you.
>
>
> Regards,
> Thomas
> ---
> Cyrus Home Page: http://asg.web.cmu.edu/cyrus
> Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
>
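The thread turns on three configuration details: PLAIN/LOGIN being refused on an unencrypted connection unless allowplaintext is set, an ldapi:// URI whose socket path is not percent-encoded, and whether the saslauthd-to-LDAP hop verifies the server certificate at all. The following linter is an added example written for this archive page; it is not code from Cyrus, Cyrus SASL, or any poster. It parses the `key: value` files shown above (imapd.conf, saslauthd.conf) and the SERVICES lines of cyrus.conf, and reports the weak settings. The sample configurations inside it are constructed (hostnames from the example.test and 192.0.2.0/24 ranges), and the rule that an unset allowplaintext or ldap_tls_check_peer is treated as "no" is an assumption of this checker, not a statement about the daemons' built-in defaults.

```python
"""Lint Cyrus imapd.conf / saslauthd.conf / cyrus.conf text for the pitfalls discussed in the thread."""
import re
from urllib.parse import quote, urlsplit

YES = {"yes", "1", "true", "on"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample configs, modelled on the ones quoted in the thread (not copied from it).
SASLAUTHD_CONF = """\
ldap_servers: ldaps://ldap.example.test:636/
ldap_auth_method: custom
ldap_bind_dn: uid=cyrus,ou=appli,dc=example,dc=test
ldap_password: xxxxxx
ldap_search_base: dc=example,dc=test
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/example-ca.crt
"""
IMAPD_CONF = """\
configdirectory: /var/imap
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login
"""
CYRUS_CONF = """\
SERVICES {
  #imap         cmd="imapd" listen="imap" prefork=0
  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
  imaps         cmd="imapd -s -U 30" listen="192.0.2.10:imaps" prefork=0 maxchild=100
  pop3          cmd="pop3d" listen="pop3" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
"""

SERVICE_RE = re.compile(r'^\s*(?P<name>\w+)\s+cmd="(?P<cmd>[^"]*)"\s+listen="(?P<listen>[^"]*)"')


def parse_kv(text):
    """Parse 'key: value' lines (imapd.conf / saslauthd.conf style); blanks and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def ldapi_uri(socket_path):
    """Build an ldapi:// URI: the socket path lives in the host part, so every '/' must be percent-encoded."""
    return "ldapi://" + quote(socket_path, safe="") + "/"


def check_ldap_uris(uris, start_tls=False):
    """Flag ldapi URIs with a literal path and cleartext ldap:// to non-loopback hosts."""
    findings = []
    for uri in uris.split():
        p = urlsplit(uri)
        if p.scheme == "ldapi" and p.path not in ("", "/"):
            findings.append(f"{uri}: ldapi socket path is not encoded; use {ldapi_uri(p.path.rstrip('/'))}")
        elif p.scheme == "ldap" and not start_tls and p.hostname not in LOOPBACK:
            findings.append(f"{uri}: cleartext LDAP to a remote host, the bind password crosses the network")
    return findings


def check_saslauthd(conf):
    """Checks for saslauthd.conf: URI hygiene, certificate verification, bind DN without password."""
    uris = conf.get("ldap_servers", "")
    start_tls = conf.get("ldap_start_tls", "no").lower() in YES
    findings = check_ldap_uris(uris, start_tls)
    if ("ldaps://" in uris or start_tls) and conf.get("ldap_tls_check_peer", "no").lower() not in YES:
        findings.append("ldap_tls_check_peer is not 'yes': the LDAP server certificate is never verified")
    if conf.get("ldap_bind_dn") and not conf.get("ldap_password"):
        findings.append("ldap_bind_dn set without ldap_password: the bind is effectively unauthenticated")
    return findings


def check_imapd(conf):
    """Checks for imapd.conf: plaintext mechanisms offered without allowplaintext (the thread's badlogin)."""
    findings = []
    mechs = conf.get("sasl_mech_list", "").lower().split()
    if any(m in ("plain", "login") for m in mechs) and conf.get("allowplaintext", "no").lower() not in YES:
        findings.append("sasl_mech_list offers PLAIN/LOGIN but allowplaintext is unset: "
                        "non-TLS logins fail with 'encryption needed to use mechanism'")
    return findings


def parse_services(text):
    """Extract name/cmd/listen from active (uncommented) SERVICES lines of cyrus.conf."""
    return [m.groupdict() for m in map(SERVICE_RE.match, text.splitlines()) if m]


def check_services(services):
    """Flag imapd/pop3d listeners that are neither TLS (-s) nor bound to loopback."""
    findings = []
    for s in services:
        argv = s["cmd"].split()
        if argv[0] not in ("imapd", "pop3d"):
            continue
        host = s["listen"].rsplit(":", 1)[0] if ":" in s["listen"] else ""
        if "-s" not in argv and host not in LOOPBACK:
            findings.append(f'{s["name"]}: cleartext {argv[0]} listener on "{s["listen"]}" reachable off-host')
    return findings


if __name__ == "__main__":
    for label, result in (("saslauthd.conf", check_saslauthd(parse_kv(SASLAUTHD_CONF))),
                          ("imapd.conf", check_imapd(parse_kv(IMAPD_CONF))),
                          ("cyrus.conf", check_services(parse_services(CYRUS_CONF)))):
        print(label, "->", result or "ok")
```

Run against the constructed samples, the saslauthd.conf passes (ldaps with peer checking and a bind password), imapd.conf is flagged for offering PLAIN without allowplaintext, and cyrus.conf is flagged only for the pop3 listener; imaplocal is accepted because it is bound to 127.0.0.1, which is the layout Carole uses to keep cleartext IMAP off the network.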